Currently, my accounts use a mix of SMS two-factor authentication and TOTP apps like Google Authenticator and Symantec VIP.

I certainly recognize the possibility of someone hijacking my mobile phone account and why TOTP apps are more secure (for more background, see this recent thread for example: viewtopic.php?f=11&t=227649)

My question is: One thing I _like_ about SMS two factor is that if some bad guy happens to get my username and password and makes an initial attempt to log in (assuming he hasn't [yet] taken over my phone account), I will get a text message with the two factor code. In other words, if I get such a message without actually trying to log in, it's a pretty obvious sign that someone is trying to access my account. I can then immediately change my password or call the bank/institution, or take some other action.

On the other hand, with TOTP two-factor set up, I would never get a notification that someone is attempting to access the account. Once the "bad guy" sees that a TOTP code is required, they can then decide to call the bank/institution and use some social engineering to bypass the TOTP requirement, with plenty of time to do so, since I will not know anyone is trying to access the account.

Has this thought occurred to anyone else? It's too bad that Authenticator (or VIP or whatever app) doesn't have a way to send notifications to the user when someone tries to access a protected account. Any ideas? Or am I just wrong to think that this is a drawback of the TOTP apps?

(BTW, I had to reset my phone back to factory defaults some time ago - I called Fidelity to "reset" my VIP access, and it just took answering one very simple-to-guess security question for them to reset the VIP access. Sure, I was calling from the phone # associated with my account, but it was still surprisingly easy to bypass the TOTP security.)


It's not really Authenticator's job, though -- plus how would an app installed on your phone even know that someone else tried to log into your account?

The real solution to this is that the place you are logging into needs to handle it. Google and Facebook both do this. I receive an email (and maybe an SMS as well but I don't recall) instantly saying "We received a login from a computer you haven't used before. If this wasn't you contact us immediately." I'm sure many other places do the same thing but Google and Facebook are the ones I remember off the top of my head.


slin

Fidelity now has voice authentication so a stranger claiming to be you should get detected. However even that isn’t perfect. I called in one time and the rep said the VA wasn’t working because he was having “computer problems” then asked me a security question that anybody with any level of personal knowledge would have easily guessed.


It depends on the architecture. Take Microsoft's Authenticator, for example. When you take some action (login or otherwise) that requires a second factor, the Authenticator app issues a notification that identifies the transaction with a code like KQXPL and asks you to accept or deny. Click accept on your phone, and you're logged in on the PC. Entrust can do something similar, and their tech can be rolled into other people's native apps.

Even when that tech is present, you can still use the TOTP token on the device, even if the device is offline and can't receive the notification.


I seem to recall that anytime I call Fidelity, they ask for something beyond a garden-variety security question. But I admit, I haven't been thorough about keeping track of this.

I have a couple of questions:

1. Are you considering going back to an authentication system that doesn't use voice verification? Fido added VV to my account (due to a misunderstanding) and I'm considering rolling it back. I thought the fallback to VV would be username / password and then gibberish security questions and/or transactional questions, but maybe not.

2. What exactly does "computer problems" mean? Did it affect only the voice verification system and not any other system?


I see no reason not to use VA. It is an added layer of security. If for some reason it doesn’t work they go back to their standard procedure.

I will say in the past I rarely called but if I did I didn’t try to enter my user ID and PW in the phone because they were long and complex. The result was I’d have to answer a few security questions with the rep. That’s convenient but not very good security on their part.

Bottom line they can add security features, like authenticators or VA, which helps, but their weakest link will probably always be very clever hackers armed with a lot of personal information and very skilled at impersonating somebody who needs and should have access. I don’t see any way around that.


I never considered this a potential drawback of Google Authenticator. My main concern has been what I would do if I lost my phone with Authenticator, since there isn't any native support for backup. For that reason, I keep around a worthless Nexus 5 that exists solely to run Authenticator if I need it. Authenticator is part of my nightly backup through Titanium Backup on my main phone, which is encrypted and synced to Google Drive.

That only works for Google account access. I have a number of accounts using Google Authenticator without another option for 2FA, so losing my phone, or my phone dying could result in permanent loss of access to those accounts.


When you sign up for 2 factor, either at google or other places, you can choose to get the underlying code rather than the QR code. This can be entered manually into the authenticator app, but it can also be stored in a secure password manager, or a second device.


Isn't that code only good for one-time use?

No, I am talking about the code you enter into google authenticator or whatever app you're using so that it can generate your future codes. It's the same information that gets scanned in the QR codes, but just in digit form rather than QR code form.
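To make the point above concrete, here is an added example (not code from anyone in this thread) showing what the QR code actually carries: an otpauth:// URI whose `secret` parameter is the base32 seed, and that any device holding that seed computes the same RFC 6238 codes, which is why a copy in a password manager or a second phone works as a backup. The enrolment URI, account label and seed value below are constructed sample values.

```python
import base64
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote


def parse_otpauth(uri: str) -> dict:
    """Extract the seed and parameters from an otpauth://totp/... URI (what the QR encodes)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)          # apps usually omit base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "seed": base64.b32decode(secret),        # this is the "underlying code"
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


def totp(seed: bytes, at: int, digits: int = 6, period: int = 30, algorithm: str = "sha1") -> str:
    """RFC 6238: HMAC(seed, time-step counter), dynamically truncated to `digits` digits."""
    counter = struct.pack(">Q", at // period)
    mac = hmac.new(seed, counter, algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(seed: bytes, submitted: str, at: int, window: int = 1, **kw) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew, with constant-time compare."""
    period = kw.get("period", 30)
    return any(hmac.compare_digest(totp(seed, at + d * period, **kw), submitted)
               for d in range(-window, window + 1))


# Constructed enrolment URI; the seed is a well-known documentation sample, not a real account.
ENROL_URI = "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"

if __name__ == "__main__":
    p = parse_otpauth(ENROL_URI)
    now = int(time.time())
    # Two "devices" (phone and backup) holding the same seed produce the same code.
    phone = totp(p["seed"], now, p["digits"], p["period"], p["algorithm"])
    backup = totp(p["seed"], now, p["digits"], p["period"], p["algorithm"])
    print(p["label"], phone, phone == backup)
```

The same property is what lets an attacker who obtains the seed generate codes too, so a backup copy deserves the same protection as the password it pairs with.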

When I login, there are notices of failed login attempts. (I don't always hit the correct keys, so these have always been my fault, but I would see if someone had tried.) This is after the fact though, not real time, unless I were already logged in.


I pinned Fidelity down today and was satisfied with their answers. They answered my questions on VV, and re: the fallback, they reiterated they don't use Equifax-type data, and that jibes with what I've observed in the past. I've also never been asked information that would be easily guessable by someone with a lot of personal information on me. So no changes for now. No system is perfect, but it seems good enough, especially when backed by their guarantee (which I still have to read the fine print on, but basically, per the rep, means you don't share your logon credentials with anyone.)


Who is one of your beneficiaries of your accounts? That was a question that was asked. Two different times.


Wow.

When I had to reset my phone (and thus needed to resync with a new instance of Symantec VIP), Fidelity asked me my account #. I didn't know it offhand (so that should have been a "strike" if I was a bad guy). So they asked who the beneficiary of my account was, and what their birthday was. Not too surprisingly, the beneficiary of my account is my spouse. That didn't seem like too hard of a guess, and of course my spouse's birthday is probably not a huge secret either.

I was calling from the phone # associated with the account, and I had already entered my username/password on the phone. So maybe that helped, but in general the whole process somewhat lessened my confidence in TFA and TOTP apps!

Last edited by fast_and_curious on Sat Oct 21, 2017 3:25 pm, edited 1 time in total.


Wow is right. JBTX, was that a recent occurrence?

FWIW, now that I'm thinking way way back, I think I was asked that question once but it was not recently, and I don't believe that was the only question asked.

If that IS the only question asked, that is scary.

I did manage to come up with one other scenario where the fallback security question system is not bulletproof. (I won't post it here for obvious reasons.) I think it's unlikely to happen unless someone was being specifically targeted by a hacker, but I think financial companies have a lot of room for improvement.

The problem with financial companies and their security departments is that they probably don't adequately enough "think like a criminal". I think that mindset is needed for them to hermetically seal their customer's assets.

But again, their fallback is that you're made whole as long as you follow the rules.

I'm going to have another talk with Fidelity. I think if enough customers call in, their IT/security department will beef up things a bit.


I think the problem is that if they make it too hard to recover from a lost TOTP token (or otherwise gain access to your accounts), customers get frustrated as well. I've seen posts here on bogleheads before where some customers are irritated at a variety of financial institutions because for "security reasons" they have to wait for a paper letter or are otherwise inconvenienced. From the companies' perspective, it's kind of damned if you do, damned if you don't, and I think it is legitimately hard for them to draw the line between security and convenience.


I think (hope) Equifax was a game-changer.

There are a lot of concerned people -- some with a lot of assets -- who suddenly feel as if their security blanket has been pulled.

I've never felt my input to Fidelity counted for much because of the sort of people you mention...the ones who hate to be inconvenienced.

But I think Fidelity has a large base of individual investors with a lot of assets that would be willing, and in fact, would demand, better security at this point.

It would not be a bad idea for Fidelity investors to call up and express their concerns about the nature of fallback security questions. If they're going to use something as easily guessable as beneficiaries, at the very least, they need to have multiple questions that are NOT easily guessable. Since the fallback option is needed only rarely anyway, it really isn't that much of an inconvenience.


If this is specific to a particular company (say, Fidelity), please consider reaching out to their security department and try to get them to fix it.

If you face push-back or get ignored, consider reaching out to the likes of Bruce Schneier or Brian Krebs.

Not posting it here in public is fine as long as the loophole gets fixed somehow (reputable security researchers give the companies affected advance notice to give them the opportunity to fix an issue before they publish their work). But don’t count on bad guys not thinking of or even already knowing the same flaw if you just keep it to yourself.